Computer security is an extremely important technology for protecting a computer system from illicit use by a third party with malicious intent. A simple example of user authentication for preventing illicit access to a computer system is a method using a user ID and a password that have been registered in an authentication server in advance. Various user authentication methods have been proposed in accordance with the required security level and the user environment.
Challenge and response authentication is a technique for preventing a password or the like from being stolen during communication by implementing special processing on a character string used for user authentication. This authentication technique is typically employed in an environment such as the Internet, where user authentication must be performed using a communication path on which safety is not guaranteed.
In challenge and response authentication, a client wishing to be authenticated first transmits an authentication request to a server, whereupon the server transmits, for example, a random string of numerical values (known as a “challenge”) in response. The client creates a string of numerical values known as a “response” by synthesizing the password input by the user with the challenge, for example in accordance with a random number table, and transmits the response to the server. On the server side, a response is created in the same manner from the transmitted challenge and the password of the user registered in advance, and the created response is compared with the transmitted response. When the two responses match, the password is deemed correct and authentication is completed successfully. Because only the challenge and the response travel over the network, an eavesdropper on the communication path obtains neither the password itself nor a response that remains valid for a later challenge.
Patent Document 1 discloses a user authentication system that is a further development of challenge and response authentication, in which a geometric pattern from which a password is derived (referred to as a “password derivation pattern” or a “password extraction pattern”) is used instead of the password itself. More specifically, Patent Document 1 discloses a user authentication method and a user authentication system in which a password derivation pattern is registered in advance in an authentication server for each user. When the user uses the system, the authentication server generates a presentation pattern and presents it to the user, allowing the user to input, with respect to the presentation pattern, the password corresponding to that user's password derivation pattern. The authentication server then authenticates the input password based on the presented presentation pattern and the registered password derivation pattern of the user, and notifies the usage target system of the authentication result. In Patent Document 1, an information communication terminal owned by the user is used to present the presentation pattern.
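An added example, not code from Patent Document 1, showing how a password derivation pattern turns a presentation pattern into a one-time password. The presentation pattern is modelled here as a 4x4 grid of random decimal digits, and the derivation pattern as an ordered list of grid cells the user has memorised; the grid size, the digit alphabet, the cell representation and the registered user are all assumptions of this example.

```python
import hmac
import secrets

ROWS, COLS = 4, 4  # assumed size of the presentation pattern

# Constructed registration (assumption): each user's derivation pattern is an
# ordered list of (row, col) cells, registered in the authentication server.
REGISTERED_PATTERNS = {"alice": [(0, 0), (1, 2), (3, 3), (2, 1)]}


def make_presentation_pattern():
    """Authentication server: a fresh grid of random digits, sent to the user's
    terminal for display."""
    return [[secrets.randbelow(10) for _ in range(COLS)] for _ in range(ROWS)]


def derive_password(pattern, presentation):
    """Read the digits at the pattern's cells, in pattern order.
    The user does this by eye; the server does it to compute the expected value."""
    return "".join(str(presentation[r][c]) for r, c in pattern)


def authenticate(user, presentation, entered_password):
    """Authentication server: derive the expected password from the presented
    pattern and the registered derivation pattern, then compare."""
    pattern = REGISTERED_PATTERNS.get(user)
    if pattern is None:
        return False
    expected = derive_password(pattern, presentation)
    return hmac.compare_digest(expected, entered_password)


def render(presentation):
    """Text rendering of the grid as a terminal might show it."""
    return "\n".join(" ".join(str(d) for d in row) for row in presentation)


if __name__ == "__main__":
    grid = make_presentation_pattern()
    print(render(grid))
    otp = derive_password(REGISTERED_PATTERNS["alice"], grid)  # what the user types
    print("derived password:", otp)
    print("accepted:", authenticate("alice", grid, otp))
    # The same entry is useless against the next presentation pattern.
    print("reused against new grid:", authenticate("alice", make_presentation_pattern(), otp))
```

The point the example makes concrete is that nothing fixed ever leaves the user: the grid changes every time, so the digits typed are different each session, while the thing that must stay secret (the cell pattern) is never transmitted at all.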
Further, Patent Document 2 discloses a site confirmation method with which a user can easily confirm whether or not a server (or site) accessed by the user is legitimate. More specifically, Patent Document 2 discloses a site confirmation method including a first display step and a second display step. In the first display step, when the user accesses a first server managing a site from a first information terminal device, the first server displays predetermined confirmation information on the first information terminal device. In the second display step, when the user accesses a second server from a second information terminal device, the second server displays the same predetermined confirmation information on the second information terminal device, so that the user can compare the two and detect an illegitimate site. Patent Document 2 also discloses a confirmation method in which a security token (a hardware token) is used in place of the second server and the second information terminal device.